ietf-asrg

Re: [Asrg] Actions and Words

2003-05-10 19:13:46
I really didn't write the list to become a topic of discussion, I wrote it as evidence to back up a statement I made about putting thought into the problem, and to defend my ability to propose solutions. It was presented as only a survey of my opinions. I'm sure I could have kept going, but at 25 I thought I had enough.
I do have reasons for every item, and I am happy to tell you what they are.

I would be interested to see lists of other people's thoughts and feelings on the matter in a short list like this one used to be.

From: <waltdnes(_at_)waltdnes(_dot_)org>
On Thu, May 08, 2003 at 12:34:31AM -0600, John Fenley wrote

> Here's that list:
> 1. Spam is stuff the end users don't want (more or less, barring
>    permission based marketing and such. This was basically AOL's view.)
  Gack, I hate that phrase "permission based marketing".  It's been
distorted by spammers-in-pinstripe-suits (Topica et al.) to the point
where it's just another euphemism for spam.

Ok... here is my reasoning:
Lumping ALL unwanted mail together as spam confuses the issue.
Unwanted permission based "marketing" has only 1 difference from the permission based notifications I want to receive. That difference is in me. I changed. When I signed up for it, I really did want "car deals" delivered to me. Now I changed my mind. That is the only difference. This is an entirely separate problem from what I see as true "spam".


> 2. spammers operate because they can
  DNSbls cure almost all of the problem.

I see DNSbls as a temporary fix, not a cure. They do work to an extent that is useful now, but so did content filters. We are already seeing the backlash as Zombie machines are becoming a problem.

Nothing is truly going to stop spammers, they will always try. The best we can hope for is to make them behave how we want.

> 3. most spammers are dumb, but some are very smart (they are the ones
> developing advanced tools)
  DMA and ESPC are also rich, and they are willing to throw money at
"the best legislators that money can buy".  These are the people I worry
about.

Again, that is a separate problem. There are 3 groups, not 2.
Spammers
Marketers/Notifiers/list operators
The Anti-Spam Community

From what I saw at the forum, marketers hate spammers as much, or more than we do. They give marketers a bad name, and ruin the market. We usually lump them together, and go after the easy targets...the marketers. For the most part I think they are doing their best, though there are always some exceptions.

Here though, I was specifically talking about Dr. Bill Hancock's wonderful presentation on Hackers, and Trojans, and Worms. I practically quoted him.


> 4. Opt-in mail MUST get to the user.
  End-user-configurable server-side filters are the way to go.

Of course I am going to bring up Choicelist because I haven't seen any better method for handling opt-in mail. It is end-user-configurable, and would be simple to use.

> 5. Opt-out must be available to the user
  End-user-configurable server-side filters are the way to go.

Choicelist.
Like I said in the original posting of this list, I think it fits perfectly with part of my view of the problem.

> 6. Sender authentication is needed badly
  Isn't a 100% solution.  A computer can be trojaned, you'll know that
email is coming from the computer... big deal.

Yes, but the random computer couldn't spoof Amazon or some such yada yada...
That is why I think it is important. It helps. Whitelist filtering can't even stop all the spam without sender authentication of some sort.
I think the IC/AR method can help this though since nothing else really has.

> 7. spam volume is increasing rapidly.
  Agreed.


> 8. filters are not an end solution.
  Long live DNSbls.  End-user-configurable server-side filters are the
way to go.

I guess I was a little vague on that one. Sorry. I was specifically thinking of content filters. I class DNSbls in a different category with whitelisting and other non-content-based systems.
I guess anything can be classed as a filter though.

Even so, filters alone are not a true solution. Other mechanisms Social manipulation will play large roles in an end solution.


> 9. any solution must not impede the use of email by the general public.
  Mostly agreed.  I think that average users would be willing to put in
a bit of extra effort if they were promised a lot less spam as a payoff.


> 10. the U.S. government is willing to throw money at the problem. (I
> believe senator Schumer (NY) threw out the figure 75 million dollars
> per year, and assured the ftc that money would not be an issue
> impeding any plan they propose)
  The DMA and friends are willing to throw money at "the best
legislators that money can buy".  DNSbls are starting to hurt ESPC and
friends, and you can rest assured that legislation will be introduced to
either ban DNSbls or else "regulate" them into uselessness.

I put this in there as support for my suggestion of government funding for Choicelist about 4 weeks ago.


> 11. I really want to help solve the problem for 4 reasons: I dislike spam, I
> really think I can make a difference (doing good, and spreading good memes
> makes me happy), it will help the economy of all developed nations, and it
> will make a good start for my 2016 campaign if I start now to help solve
> big problems. (is there anything wrong with thinking ahead, or Honesty?)
  Sorry, as a foreigner, I won't be able to vote for you.

Perhaps by then the whole world will be part of the United States of America, then you can vote for me.
Just Kidding...I hope.

> 12. legal solutions alone won't do the job.
  Agreed.  Given the power of the DMA and friends, maybe it would be a
good idea *NOT* to ask for more legislation.

The one piece of legislation I would like to see would be to the effect that ADV labeled mail would be protected, and only the end user could delete them. It will never happen, but I really think it would help... see #13

> 13. An avenue must be available for UCE to get to the user, or spammers
> will try more and more innovative methods to make an avenue of their
> own. (by creating the avenue, one can control it)
  ????? This does not compute.  Even spammers aren't *THAT* dumb. If we
offer an avenue for spammers to use, which 99% of end users block at
their end, then the spammers are going to be blocked anyways, and will
seek other ways in.

Lucky #13
I have a Cunning Plan:

Spam has gotten more like real mail I want from friends. I personally would rather have 10,000 ADV mails in my inbox per day than ten spams a day pretending to come from friends. It is precisely because they are so easy to filter that I would rather have them. I can look for a simple token, and know that it is an ad. I have made it a personal goal to open every mail that I get that begins with ADV to try to condition the mailers behind them to do this more.

Spammers want to get to the inbox. Yes or No?
Give them an easy way to do this, and they will. Yes or No?
This easy way makes it easy for me to sort my mail, as well as remove the spammers' incentive to innovate new ways to bypass the content filters... A losing battle for us as filters are always a step behind spammers.

It would be wonderful if this were to happen, but it probably won't because everybody just thinks: "ah hah! ADV... I'll just set this thing to auto-delete them and voilà! no more spam". But if people actually let ADV through to the inbox, all our lives collectively would be easier.


> 14. Dictionary attacks are a big problem, and RBLs can help, though a
> better solution is needed.
  "RBL" is trademarked.  The generic term is DNSbl.  This is almost in
IDS (Intrusion Detection System) territory.  I'm aware of one ISP with a
cute solution.  When an attack is detected, a program kicks in that
reroutes connections from the attacking IP address.  The fake SMTP
program returns a positive for a small percentage of invalid addresses.
These eventually end up polluting "millions CDs".

You know, that gives me an idea...
[idea moved to bottom]

> 15. any solution must be adaptable.
  Agreed.

> 16. there are no "silver bullets".
  Agreed.

> 17. if there are no "silver bullets", why does a plan have to be
> one in order to be discussed?
  A plan doesn't have to be a "silver bullet".  It has to offer a lot
more long-term-gain (spam reduction) than associated short-term-pain
(implementation hassles) to be publicly acceptable.



> 18. never underestimate.
  Spammers evolve.  They started out as primitive pond scum.  They're
now advanced pond scum.

I left it open because you never know what will happen.

> 19. plans change, why does every little detail need to be planned out now?
  Implementation can be a hassle.  You do *NOT* want a situation like
the early days of Netscape 1.x and 2.x when there seemed to always be a
new version-du-jour.

Yes, but while discussing new Ideas (as a research group should do), specifics are usually a later stage of development. Most Ideas do not come full formed instantly. The basic Idea comes first, then specific details are worked out. The lack of specifics does not mean an Idea cannot evolve to deal with the specifics. Only unsurmountable problems or better Ideas should impede progress, not technicalities that can be worked out.

> 20. a "do not spam" list would be a bad idea.
  Agreed 100%.

> 21. Challenge response has a bad rap, but it is going to happen whether
> people like it or not because it will stop "spam" in many people's eyes.
  It can be helpful, but it is *NOT* a standalone solution.  Two changes
are required versus today's implementations...
  1) The challenge should be at the SMTP stage, not at MUA level.
  2) C/R should *NOT* be used against *EVERY* email address that
isn't in your whitelist.  It should only be used when a DNSbl or other
rule rejects an email.  I view C/R not as a standalone solution, but
rather as a safety net for aggressive blocking.

#1 Do you mean an SMTP rejection should occur, and the error should have the challenge test in it? That would save bandwidth, and processing/storage, but then the message couldn't be delivered if a Response were not received. It has been mentioned that C/R shouldn't be used to block mail, but to promote it to better delivery. I now agree with that use of C/R.

#2 Agreed.

> 22. adoption is a big barrier to implementation of any solution.
  See my response to item 17

> 23. social engineering (PR) can play a big role in how well a solution
> is received.
  Agreed.

> 24. the internet is in danger if a solution to "spam" is not found soon.
  Correction.  Email, not the internet.

Many people just use the internet for e-mail. I believe "a chilling effect" was the phrase used to describe how spam was affecting internet growth. With the exponential growth of spam, I actually do feel that the internet is in danger of losing users, and of becoming an extremely unpleasant experience.

> 25. ideas should be freely traded, and continually refined.
  Motherhood statement.

Yes, this was a list of my own personal thoughts on the matter of spam solutions. Free trade of ideas, I think, can solve the spam problem.

Wow, sorry this is so long, but it pretty much covers almost all my thoughts on the matter.

John Fenley


=====================================
#14: Dictionary attacks: Stopping them: would this work too?
=====================================
The reason I see for dictionary attacks, is that there is no comprehensive directory of names anywhere, and names are needed to send spams (except DoS). The reason there is no directory of names is because people try to keep their addresses hidden to prevent spam. If spam blocking were good enough, to the point where it didn't matter where your name was posted because it wouldn't increase your spam, then a directory of real names in a domain could be posted, and dictionary attacks would stop (except for really stupid spammers, and DoS attacks).

You effectively turn dictionary attackers into regular spammers. Then if you have a solution to stop spammers, it stops those people as well, but reduces dictionary attacks. It would also decimate parts of the spammer infrastructure and revenue stream...."Millions CDs", and advanced name harvester sales.

The basic idea is to consolidate two groups into one larger group, so that one solution can handle them all, instead of needing 2 separate solutions. But I guess you'd still have to implement this, so there would still need to be 2 solutions...oh well.
===================================
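
The ISP countermeasure described in the reply to item 14 (detect a dictionary attack, hand the attacking IP to a fake SMTP responder that confirms a small percentage of invalid addresses) is sketched below as an added example; it is not part of the original message and not that ISP's code. The mailbox names, the `example.org` domain, the documentation-range IPs, the threshold, the decoy percentage, and the choice to have the fake responder ignore the real mailbox list are all assumptions.

```python
import hashlib
from collections import defaultdict

VALID = {"alice", "bob"}   # constructed mailboxes for the placeholder domain example.org
THRESHOLD = 5              # assumed: unknown recipients from one IP before it is flagged
DECOY_PERCENT = 10         # assumed: share of probes the fake responder accepts

class RcptPolicy:
    def __init__(self):
        self.unknown = defaultdict(int)  # ip -> count of unknown recipients probed
        self.decoys = defaultdict(set)   # ip -> addresses falsely confirmed to that ip

    def flagged(self, ip):
        return self.unknown[ip] >= THRESHOLD

    @staticmethod
    def is_decoy(local):
        # Hash-based so a retried address always gets the same answer.
        first = hashlib.sha256(local.encode()).digest()[0]
        return first * 100 // 256 < DECOY_PERCENT

    def rcpt(self, ip, address):
        """Return the SMTP reply code for one RCPT TO from `ip`."""
        local = address.split("@", 1)[0].lower()
        if self.flagged(ip):
            # Fake responder: nothing is delivered and the answer ignores the
            # real mailbox list, so the prober learns nothing true.
            if self.is_decoy(local):
                self.decoys[ip].add(address)
                return 250
            return 550
        if local in VALID:
            return 250
        self.unknown[ip] += 1
        return 550

def replay(events):
    """Run constructed (ip, address) events through a fresh policy."""
    policy = RcptPolicy()
    replies = [(ip, addr, policy.rcpt(ip, addr)) for ip, addr in events]
    return policy, replies

# Constructed sample: one normal sender, one IP walking a name list.
SAMPLE = [("192.0.2.10", "alice@example.org")] + [
    ("203.0.113.7", f"user{i}@example.org") for i in range(200)
]

if __name__ == "__main__":
    policy, replies = replay(SAMPLE)
    print("flagged:", policy.flagged("203.0.113.7"))
    print("decoys handed out:", len(policy.decoys["203.0.113.7"]))
```

The `decoys` set doubles as a detection aid: later mail addressed to one of those never-existent addresses can only have come from a list built on the poisoned replies.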
